
DOT1X-5-FAIL: Authentication failed for client

akgupt89
Level 1

I have configured my access switch interfaces with DOT1X authentication from a RADIUS server. The end hosts connected to these interfaces get their IP from a DHCP server. But since my end host clients are not able to authenticate successfully, DHCP is not assigning them an IP. I am able to ping the ISE servers from the switch. Kindly suggest a possible solution, or do I need to check with the ISE server owner?

Below are the logs captured from the switch.

 

switch#sh logging | i 1/23
May 14 2021 21:02:46.033 UTC: %DOT1X-5-FAIL: Authentication failed for client (xxxx.xxxx.xxxx) on Interface Gi1/23
May 15 2021 03:01:44.304 UTC: %DOT1X-5-FAIL: Authentication failed for client (xxxx.xxxx.xxxx) on Interface Gi1/23
switch#sh run int gig1/23
Building configuration...

Current configuration : 1040 bytes
!
interface GigabitEthernet1/23
switchport access vlan XXXX
switchport mode access
switchport voice vlan YYYY
ip access-group ACL-NAME in
no logging event link-status
speed auto 10 100 1000
authentication event fail action next-method
authentication event server dead action authorize vlan XXXX
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication timer inactivity server
authentication violation restrict
mab
snmp trap mac-notification change added
no snmp trap link-status
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
ip dhcp snooping limit rate 15
end

 

switch# sh run | i dot1x

aaa authentication dot1x default group ISE_SERVERS

aaa accounting dot1x default start-stop group ISE_SERVERS
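
To see whether the failures in the log above come from one client or from many ports, the `%DOT1X-5-FAIL` lines can be grouped per interface and client. This is an added example, not part of the original post or of any Cisco tooling; the sample log and its MAC addresses are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the %DOT1X-5-FAIL line format shown in the post above.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{4} \d{2}:\d{2}:\d{2}\.\d+) UTC: "
    r"%DOT1X-5-FAIL: Authentication failed for client "
    r"\((?P<mac>[^)]+)\) on Interface (?P<intf>\S+)"
)

# Constructed sample input (not from the original post); MACs are made up.
SAMPLE_LOG = """\
May 14 2021 21:02:46.033 UTC: %DOT1X-5-FAIL: Authentication failed for client (0011.2233.4455) on Interface Gi1/23
May 14 2021 21:03:01.120 UTC: %LINK-3-UPDOWN: Interface Gi1/7, changed state to up
May 14 2021 21:03:50.512 UTC: %DOT1X-5-FAIL: Authentication failed for client (0011.2233.4455) on Interface Gi1/23
May 14 2021 21:04:10.004 UTC: %DOT1X-5-FAIL: Authentication failed for client (00aa.bbcc.ddee) on Interface Gi1/24
May 15 2021 03:01:44.304 UTC: %DOT1X-5-FAIL: Authentication failed for client (0011.2233.4455) on Interface Gi1/23
"""

def parse_failures(text):
    """Return {(interface, mac): [datetime, ...]} for every DOT1X-5-FAIL line."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = FAIL_RE.match(line.strip())
        if not m:
            continue  # other syslog messages are ignored
        ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S.%f")
        events[(m["intf"], m["mac"])].append(ts)
    return events

def summarize(events):
    """Per client: failure count and shortest gap (seconds) between failures."""
    rows = []
    for (intf, mac), stamps in sorted(events.items()):
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        rows.append({"interface": intf, "client": mac, "failures": len(stamps),
                     "min_gap_s": min(gaps) if gaps else None})
    return rows

def affected_ports(events):
    """Distinct interfaces with at least one failure."""
    return sorted({intf for intf, _ in events})

if __name__ == "__main__":
    ev = parse_failures(SAMPLE_LOG)
    for row in summarize(ev):
        print(row)
```

A single client failing repeatedly usually points at that endpoint; failures spread over many ports are worth raising with the ISE server owner.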

2 Replies

Hi friend,
this mode is called Low-Mode.
Low-Mode is the mode where you configure the data VLAN for the interface and configure the pre-auth ACL.

The flow is as follows:

1- The client connects to the interface and gets the VLAN you configured.
2- The client has limited access, depending on the pre-auth you configured.
3- If the client succeeds at 802.1X, then the RADIUS server will send a dACL to give the client full access.
4- If the client does not succeed, then it will try MAB, "as in your config".
5- If the client also fails MAB, then what happens?
A- Next-method, only if you configured WebAuth
B- Failed VLAN

You configured next-method without WebAuth, which means it returns to the first step; this closes the port, and the loop is continuous.

Change the fail action from next-method to VLAN X "full access".

Could anybody find what caused this problem? Any solution?
